
So recently I downloaded something and Avast started going crazy, telling me it's a Trojan. I ignored it since the download seemed legit.

Anyway, after running the program I got curious and scanned it with VirusTotal and got a whopping 41/59. I already looked at the behaviour on VirusTotal but couldn't find anything of interest; I also looked with Autoruns and Process Hacker in safe mode, and I also ran Malwarebytes and it seemed not to detect anything. I have also removed the .exe with Avast, but I'm afraid changes have already been made to services or the registry, so did I or didn't I ** up?

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

...

Please post the Fixlog.txt and let me know what problem persists.

I have turned on System Restore and run the fixlist with FRST.

But before I continue I would just like to ask some things and also point out others, if you wouldn't mind of course.

start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => -> No File
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => -> No File
#These lines are totally fine, since OneDrive had no use to me so I decided to remove it; I would guess these are the leftovers.
GroupPolicy: Restriction <======= ATTENTION
#Is this messing with group policy, and if so, is it disabling it? I have Windows Update configs made with this, so if you could give me any info about this I would be very grateful :)
GroupPolicyScripts: Restriction <======= ATTENTION
#Again same thing as above
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
#I would guess this is just removing some IE perms, which again is fine since I don't use it at all
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kirian\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-11]
CHR Extension: (Chrome Media Router) - C:\Users\Kirian\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-26]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
#I am not sure what these lines do, but if I had to guess they remove reg keys? All the Chrome extensions I had were trusted: Google Docs, 2 Steam Market plugins and uBlock Origin.
S4 atillk64; \??\C:\Users\Kirian\Downloads\atiflash_274\atillk64.sys [X]
#This line removes the GPU ROM flashing driver from ATIFlash (trusted), which for diagnosing is fine, but I guess you already know that.
S3 HWiNFO32; \??\C:\Users\Kirian\AppData\Local\Temp\HWiNFO64A.SYS [X] <==== ATTENTION
#This also removes a monitoring driver for HWiNFO64 (trusted)
Task: {B4027C81-D2F3-47B7-BE83-1E70CC4B2C59} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2016-12-06] ()
C:\Windows\AutoKMS
End

Ok, taking my comments into consideration, do you think any of the removals were related to the trojan that I posted?

The original problem was that I didn't know if I had a problem; the VirusTotal analysis and boope only gave me enough info that the trojan was made as a remote access hack, so it's kind of hard knowing if the problem was solved or not, since my computer is running speedy as usual.

Anyway, the log is attached below.

P.S.: I had System Restore disabled because Windows seems to defrag SSDs if it's enabled, or at least that's what I read here.

Ok, starting with the scan: there isn't a single detected threat by Sophos, and using Process Monitor in a VM doesn't seem to come up with many results either, which is making me more and more suspicious that in the end the setup.exe trojan might have been a false positive? I can send the setup.exe in a .zip file if that helps identify what we should be looking for.

Anyway, about the "#comments" that I made, I noticed that you didn't say anything about them, so I guess you didn't see them, so I'm going straight to what I just need to know: did the fixlist by any means modify or disable group policy?

I have some configs with Windows Update that I would like to keep if possible.

Then, disconnect from the Internet!

Next, back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

Optional, if the following programs are on your computer: note that since the Domains are deleted, SpywareBlaster protection must be re-enabled, Spybot's Immunize feature must be used again, and you also have to re-install IE-SpyAd if installed.

Clear your Zone map. Or open Regedit and look at all the ZoneMaps and delete what you have found.

p.s.
Export the ZoneMap registry to be safe.

I've run the zone map script and finally finished the log file for Process Monitor. I'm going to leave the registry changes made by setup.exe and its child process below, since I'm unable to upload the whole file directly as it's 8GB (around 22 million events, I think?). Do you think it's better to upload the full log to another website, or just split it into small 9MB parts with 7-Zip and post them across multiple posts? I also think there's a way to save as XML so I'm able to post directly in the post text instead of a file, so what should I do?

I've looked around and there doesn't seem to be any suspicious file, but you can never be too careful.

Just now I was reminded: do you think that Avast, besides removing the infected file, also reverts the changes made by it, whether it be in the registry or in files?

Anyway, I finished looking quickly at the logs and there don't seem to be any harmful changes made by setup.exe on the VM. I looked mainly at the changes made in the registry, so I could be wrong; if you could give a quick opinion it would be very much appreciated. You can view the log using Process Monitor inside the .zip attached, or you can download Process Monitor directly from Microsoft here.
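As an added example (not code from the thread, from nasdaq, or from the original poster), here is a Python script that does the triage the poster describes doing by hand on an 8GB PML: export the Process Monitor log to CSV (File > Save..., CSV format), keep only the state-changing operations made by setup.exe and every process it spawned, and flag writes under common persistence and policy locations. The CSV rows below are constructed for illustration; the process names, PIDs, paths and values are invented and are not taken from the real log.

```python
import csv
import io
import os
import re
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV format).
# Process names, PIDs, paths and values are invented for illustration; they are not
# taken from the thread's real log.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.0000001","explorer.exe","1234","Process Create","C:\\Users\\Kirian\\Downloads\\setup.exe","SUCCESS","PID: 4321, Command line: setup.exe"
"10:01:00.0100000","setup.exe","4321","RegOpenKey","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion","SUCCESS","Desired Access: Read"
"10:01:00.0200000","setup.exe","4321","Process Create","C:\\Users\\Kirian\\AppData\\Local\\Temp\\is-ABC.tmp\\setup.tmp","SUCCESS","PID: 5555, Command line: setup.tmp /SL5=..."
"10:01:00.0300000","setup.tmp","5555","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\\Users\\Kirian\\AppData\\Roaming\\svc.exe"
"10:01:00.0400000","setup.tmp","5555","WriteFile","C:\\Users\\Kirian\\AppData\\Roaming\\svc.exe","SUCCESS","Offset: 0, Length: 65536"
"10:01:00.0500000","chrome.exe","7777","RegSetValue","HKCU\\Software\\Google\\Chrome\\PreferenceMACs","SUCCESS","Type: REG_SZ, Length: 44"
"10:01:00.0600000","setup.tmp","5555","RegQueryValue","HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate","NAME NOT FOUND","Length: 20"
"10:01:00.0700000","setup.tmp","5555","RegSetValue","HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""

# Operations that change system state. RegOpenKey/RegQueryValue/ReadFile are noise
# for the question "what did the installer modify?".
WRITE_OPS = {
    "RegSetValue", "RegCreateKey", "RegDeleteKey", "RegDeleteValue",
    "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
}

# Lower-cased path prefixes where a write deserves a second look (my own short list,
# not an exhaustive persistence catalogue).
WATCHLIST = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\system\currentcontrolset\services",
    r"hklm\software\policies",
    r"hkcu\software\policies",
    r"c:\windows\system32\tasks",
)


def load_rows(csv_text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def process_tree_pids(rows, root_image):
    """PIDs of every process whose image name is root_image, plus everything they
    (transitively) spawn. ProcMon logs 'Process Create' on the parent: the child's
    image is in Path and its PID is in Detail ("PID: nnnn, Command line: ...")."""
    children = defaultdict(set)
    roots = set()
    for r in rows:
        if r["Operation"] != "Process Create" or r["Result"] != "SUCCESS":
            continue
        m = re.search(r"PID:\s*(\d+)", r["Detail"])
        if not m:
            continue
        child = m.group(1)
        children[r["PID"]].add(child)
        image = os.path.basename(r["Path"].replace("\\", "/")).lower()
        if image == root_image.lower():
            roots.add(child)
    tree, stack = set(), list(roots)
    while stack:  # walk the spawn graph breadth/depth agnostic
        pid = stack.pop()
        if pid in tree:
            continue
        tree.add(pid)
        stack.extend(children[pid])
    return tree


def state_changes(rows, pids):
    """Successful state-changing operations made by any PID in the tree, in log order."""
    return [r for r in rows
            if r["PID"] in pids and r["Operation"] in WRITE_OPS and r["Result"] == "SUCCESS"]


def watchlist_hits(changes):
    """Subset of changes whose target path sits under a watched location."""
    return [r for r in changes if r["Path"].lower().startswith(WATCHLIST)]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    pids = process_tree_pids(rows, "setup.exe")
    changes = state_changes(rows, pids)
    hits = watchlist_hits(changes)
    for r in changes:
        flag = "!!" if r in hits else "  "
        print(f'{flag} {r["Process Name"]}[{r["PID"]}] {r["Operation"]:<12} {r["Path"]}  ({r["Detail"]})')
```

On a real capture, filter first in ProcMon's Process Tree view (include the installer's subtree) and then export; that keeps the CSV far smaller than the full 22 million events. Note the Inno Setup pattern in the sample: the visible setup.exe does little itself and the real work happens in the extracted setup.tmp child, which is exactly why following the process tree rather than filtering on the one process name matters.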

I have made a "major" breakthrough: I managed to isolate the virus that was inside the setup.exe by using innounp, and by using TextScan on the "virus".exe I managed to also find the "maker" of the virus!

I'm still not sure what product, but I bet it's the Crypto Logger one; anyway, the company is this one, if you wouldn't mind taking a look.

I will also post the log of TextScan as well as the .config that was beside the virus.
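Not part of the thread: as an added example of what a TextScan-style string hunt over the extracted .exe is doing, here is a Python script that pulls both ASCII and UTF-16LE strings out of a binary blob (.NET assemblies and the Windows API store many identifiers as UTF-16, which a plain ASCII strings pass misses) and flags any that match a small marker watchlist. The blob is constructed for the demo, and so is the marker list: "LogicNP" is on it because the thread names that vendor, the other entries are my own heuristic picks for packed .NET loaders, not an authoritative signature set.

```python
import re

MIN_LEN = 6

# Printable ASCII runs, and the same run as UTF-16LE (each char followed by a NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Case-insensitive substrings worth flagging. Heuristic picks for this demo, not a
# vetted signature set; "logicnp" comes from the thread, the rest are my assumptions.
MARKERS = ("logicnp", "obfuscat", "getmanifestresourcestream", "assembly.load")

# Constructed stand-in for a slice of a .NET PE: invented identifiers mixed with binary
# filler. Not bytes from the file discussed in the thread.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(range(32))                       # header-ish filler, nothing printable
    + b"mscorlib\x00" + b"\x01\x02\x03"                    # ASCII string
    + "LogicNP.CryptoObfuscator".encode("utf-16-le")       # UTF-16LE string (invented marker)
    + b"\x00\x00" + b"\xff\xfe\x07"
    + b"System.Reflection.Assembly\x00\x00"                # ASCII string, double NUL terminated
    + "GetManifestResourceStream".encode("utf-16-le")      # UTF-16LE string
    + b"\x00" * 8 + b"ab" + b"\x00" * 3                    # "ab" is too short to count
)


def extract_strings(data, min_len=MIN_LEN):
    """Return [(offset, encoding, text)] for every ASCII and UTF-16LE run of at least
    min_len characters, sorted by offset."""
    ascii_re = ASCII_RE if min_len == MIN_LEN else re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = UTF16_RE if min_len == MIN_LEN else re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def flag_markers(strings, markers=MARKERS):
    """Keep only strings containing one of the watchlist substrings (case-insensitive)."""
    return [(off, enc, s) for off, enc, s in strings
            if any(k in s.lower() for k in markers)]


def scan_file(path, min_len=MIN_LEN):
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as fh:
        return flag_markers(extract_strings(fh.read(), min_len))


if __name__ == "__main__":
    strings = extract_strings(SAMPLE_BLOB)
    for off, enc, s in strings:
        mark = "!!" if (off, enc, s) in flag_markers(strings) else "  "
        print(f"{mark} 0x{off:06x} {enc:<8} {s}")
```

One caveat the regexes illustrate: a UTF-16 match can start one character early when an ASCII string ends right before it (the trailing "y\x00" of one string is itself a valid UTF-16 pair), which is why the sample terminates the ASCII string with two NULs. Obfuscated .NET usually leaves the obfuscator's own namespace and the resource-loading API names readable even when user code is mangled, so a hit list like this is a fast first pass before reaching for de4dot.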

Hey, don't worry about it, you have been a great help! I think that Avast probably deleted the full threat when it deleted the setup.exe, so maybe I was just being paranoid; still, I will investigate just a little bit more and will report any findings here.

Edit: Turns out LogicNP just makes the obfuscator used by the .exe to hide the code; I just ran de4dot and am looking through the MSIL of the virus as I type this.